Connect With Us

Thursday, July 23, 2015

Building a Business Aligned Security Strategy for Our Organization

Wazzup Pilipinas!

"I am looking at these security solutions because they protect these assets that drives 3 million dollars of revenue for our organization. Can you please approve this." is a much better statement to hear from the IT manager than just saying "Please approve this firewall that we need to buy." The CEO or CFO would know that we are thinking about the business. Remapping your proposal using business lingo is a more effective way to convince management to approve your plans.

The same way that Fortinet does not hard sell their products. They try to understand the situation of the organization so they could pinpoint the actual weakness in the security infrastructure to provide the better solution to their needs or requirements. It's not about quickly offering an equipment that they can buy to address the issues but to understand first the problem like the challenges and specific points that needs protection. There really is a need to see the big picture before a recommendation should be given.

It's basically educating the clients on what are the possible things to do or maximize on their existing infrastructure rather than letting them figure it out on their own and adjust on the product's capabilities and limitations. This allows the clients to get the most appropriate solution from Fortinet.

At an intimate media discussion, experts from Fortinet led by Alvin Rodrigues, Fortinet Marketing Development Director for Southeast Asia and Hong Kong.

Also present during the discussions where Jeff Castillo, Managing Country Director of Fortinet, Nap Castillo, Regional Pre-Sales Consultant of Fortinet and Rachelle Alcantara, Channel Account Manager of Fortinet.

The event was held at Café 1771 located at Greenbelt 5 in Makati city and attended by select members of the media. A presentation was held while food was being served to everyone. We enjoyed a delightful feast from Café 1771 while questions were being thrown to the Fortinet guys.

Alvin discussed the possible framework composed of the basic steps model to build a business aligned security strategy that should encourage businesses to rethink their existing business strategies and to look at security more holistically - To look at security in a business per se. This is because if we want to align something to the business, we need to understand the business.

The framework he discussed was generated out from their interactions with more than 200 executives (right now its close to 300 executives already which are also validated over and over again against the values within the organization ) and it focused on how security supports changes in market dynamics and also on customer expectations. It identifies and protects business critical assets and could potentially lead to a corporate aware security culture. We must understand that a business-aligned security is not a substitute to the existing risk-based security framework. It leverages new technology for a competitive advantage.

Security is on top of mind of both management and executives but from a CIO perspective how does it become palatable in front of a business strategy discussion? How do they talk about security in the board room? How do they look at security to move it from the back office to the front office, in front of program development, in front of an organization thinking about growth or expansion strategy,
Organizations are using more online or Internet as a platform to do business. Even though the Internet has been popular for so many years already, the current years are evident that businesses are now more mature in embracing Internet technologies such as social media, big data, analytics, and mobility.

We are no longer bounded to interact and transact using our computers and laptops or notebooks. Smartphones and tablets are now recognized as continuously increasing in market share as the preferred access device of many consumers. There has been a significant decline in the demand for PCs and notebooks in favor of the more handy or portable mobile devices. Naturally, everyone wants a level of convenience out of every experience.

Alvin also mentioned that hackers may already be attempting to penetrate into our mobile transactions (or they might already be in). I hate to think that my online purchases may be compromised while I shop a wide variety of accessories online through Zalora's Mobile App, or as I book a taxi using Grab Taxi’s Mobile App, or when I order food for delivery using foodpanda’s Mobile App.

Alvin's presentation was very detailed and full of many takeaways

But we really have to strengthen our security measures now that mobile transactions are getting to be very popular and user-friendly due to the many apps that are quickly making our lifestyle more convenient and fast-paced. Thus companies should be able to respond appropriately to the increasing demand in mobile transactions which prompts many to setup end-user experience management strategies.

End user (customer) experience management is a new term coined only in the last 12 months, whereby vendors and sellers are looking at how to capitalize and meet or even exceed customer expectations. One very bad experience right now can be easily translated very massively over social media and viral marketing just as how a good experience can also trend online.

Fortinet guys answering inquiries from members of the media

CIOs are concerned about customer relationship for two basic reasons: how to retain existing customers and how to expand or grow the share or volume of their existing customers. When we have happy customers, we automatically get them to share their experience to their friends. The resulting word of mouth promotion instantly provides free marketing to the brand or company which will encourage their friends and colleagues to also try out their recommendations. They become your evangelists telling other people about you.

Identify our business' critical assets and do not look at security as a homogenous solution where we provide the same level of parameter protection. We must understand that some assets are more important than others thus requiring more security. It should be a tiered, a bit biased, a bit appreciated level of protection.

Fortinet listening to our inquiries

The presentation, discussion and meals were all filling that it's more like an information overload within just a few hours

Organizations should build a corporate-aware security culture. We may have security visibility and awareness but it doesn't necessarily translate to enforcement. For many of us, it is only becoming second in nature. It should be enforceable and ingrained into us that this is the way to do things.

This proposed framework should work in conjunction with existing frameworks and not to replace but to extend the value of security.

Risk-based security is a notch above mere compliance and in IDC's view, business-aligned security is another notch above. Many of the compliance tells you that you need a firewall, but it doesn't tell you what kind of firewall. It tells you that you need testing but it doesn't tell you what kind of testing like penetration, vulnerability, appliance or business resiliency security posture testing. This is where the business-aligned seeks to differentiate.

Focus on our customers. Identify our customer expectations. The IT department needs to look at the alignment and should be able talk the right language with the executives. We need to be able to articulate the value we need to bring to the end users. We need to identify who are our customers and what are the personas we are dealing with. There are three types of customers, one is the consumer, the business customer, and institutional customers - those who look at investment relationships and so on. Each one of these groups has a different level of expectations.

We need to identify the business value proposition that meets or exceeds customer expectations so we can capture the market. Some organizations are known for their reputation or good production services or design and user-friendliness, easy to maintain or repair, of their product, and most especially quickness to respond. Since we live in a fast-paced environment thanks to the advancement in technology especially portable or mobile gadgets, end users think about what businesses can do for them very quickly. The sense of security in engaging with them is also given importance by the customers just as how they transact with banks where the level of security gives them peace of mind knowing their money is in safe hands.

It is important to note that a business' critical asset is a dynamic asset - an asset that is critical today but may not be critical tomorrow. We need to be able to adapt to the behavioral changes of our customers. IT and security needs to ensure that our assets that are driving or meaningful to business have the protection needed to prevent it from being disrupted.

Anything that impacts business continuity, revenue, profits and market share are critical assets.

Introducing a business-aligned security framework

Our organization needs to talk more about our needs at a more intimate level

Identify the kind of threats that are pervasive and prevailing in our industry and then map the right countermeasures for the identified threats. We are not going to spend money on security that is something least prevailing. Anything that disrupts services becomes a problems because any bad user experience also becomes a problem. This requires us to keep our online services up and always going smoothly so users would not be experiencing an interruption or no access at all.

Alvin goes on to discuss about establishing protection (Visibility and Intelligence, Security solutions, security management processes) where detection, mitigation and remediation were discussed and this is where Fortinet introduced their Unified Threat Management Methodology.

Lastly is to build a corporate aware security culture since the human element has always been the weakest link that needs to be able to recognize the face of threat. Security should be the responsibility of every employee within the organization. Every employee needs to have the basic insight to recognize and remedy the first signs of threat. Security in place also adds quality to the organization.

This leaves us to reexamine our corporate security implementation, and encourages us to reconsider establishing a framework that's more comprehensive in security preparedness.

Fortinet assures that an in-depth study of our security requirements by understanding the whole scenario is essential if we really want to arrive at a more strategic solution to our needs. It is beyond just selling the infrastructure to our customers but more about a deeper relationship .

WazzupPilipinas.com is the fastest growing and most awarded blog and social media community that has transcended beyond online media. It has successfully collaborated with all forms of media namely print, radio and television making it the most diverse multimedia organization.
The numerous collaborations with hundreds of brands and organizations as online media partner and brand ambassador makes WazzupPilipinas.com a truly successful advocate of everything about the Philippines, and even more since its support extends further to even international organizations including startups and SMEs that have made our country their second home.